1

Risk Management in Information Systems Projects

Luca Álvares Guedes Vaz [email protected]

Instituto Superior Técnico, Lisboa, Portugal May 2016

 Although there are several Risk Registers, they lead to a Abstract— All Information Systems Projects involve risk of problem where they may have common objectives and some sorts and these projects are becoming increasingly complex, purposes, but are structured in different ways. intensifying therefore the probability of various risks. Risks This big diversity of Risk Registers is the problem cannot be avoided but they can be managed in ways that they are recognized and their impacts accepted, avoided, mitigated or addressed by this work, resulting in a proposal for a generic transferred. Frameworks like, PMBOK and PRINCE2 provide Reference Risk Register. guidance and principles that contribute to achieving success in Risk Management processes in Project Management. The Risk register, sometimes referred to as risk log, is a key 2. RELATED WORK part of documenting any risk analysis effort and one of the most important supporting tools of risk management, enabling storage 2.1 ISO Standards and communication of information in a relevant, consistent and concise manner. This could take various forms such as a The International Standard, ISO 31000:2009, entitled Risk spreadsheet or database and will act as a central repository for Management – Principles and Guidelines [1] , will ensure that the information gained on each risk. the information about risk derived from these processes is The purpose of this dissertation is to propose a reference risk adequately reported and used as a basis for decision-making at register, based specific a domain model, following a methodology all relevant organizational levels. This framework is intended which will allow the creation of a Reference Risk Register. to assist the organization to integrate risk management into its

management system. The risk management process should be Keywords—Risk Management, Risk Register and Project Management an integral part of management, embedded in the culture and practices, and adapted to the business processes and context of the organization. 1. INTRODUCTION The processes for Risk management implementation is presented in Figure 1. All projects have risks. These risks come from the nature of the work, from the resources, the contractual relationships or the political factors. The subject of risk management has become increasingly important for different organizations. This is the result of the increasing use of projects in association with project management techniques, which are needed for achieving desired changes in the organizations. Considering that cooperation amongst organizations is fundamental, compliance with international standards is important for better acceptance of process activities and objectives. Risk Register, sometimes referred to as risk log, is a key part of documenting any risk analysis effort and one of the Figure 1.ISO31000 Risk Management Processes. Extracted from [7] most important supporting tools of risk management, enabling storage and communication of information. But all the risk The ISO 31000 is important for this dissertation because it Registers found were not consistent, thus making it difficult to focuses on frameworks for risk management and processes to structure, being that there is such diversity to the structure, this implement it. These frameworks are an important and complex makes it quite difficult and complicated for one to reuse and area of project management and will constitute the basis for compare them. developing the narrative of this dissertation. There is also the ISO Guide 73:2009 [3] that provides the definitions of generic terms related to risk management. It provides a coherent

2 approach to the description of activities relating to the 3 PROBLEM ANALYSIS management of risk, and the use of risk management 3.1 Risk Management in Project Management terminology in processes and frameworks dealing with the management of risk. In this dissertation, Risk Management is considered a The ISO 21500 is an international standard, which is intended Project Management process. to provide guidance, explain core principles and what Effective risk management strategies allow the constitutes good practice in project management. identification of a project’s strengths, weaknesses, ISO 21500:2012, Guidance on Project Management, as quoted opportunities and threats. To ensure the project’s success, we in [6] :”ISO 21500 provides generic guidance on the concepts must define how we will handle potential risks so we can and processes of project management that are important for identify, mitigate or avoid problems when needed. the successful realization of projects.” This ISO can be used The benefits of risk management in projects are huge. The by any type of organization, including public, any result will be the minimization of the impact of project threats organizations and for any type of project, regardless of and seizing of the opportunities that might occur. There are complexity, size and duration. It can be aligned with other some important steps to perform when using the risk standards, such as, ISO 31000:2009, Risk Management. management processes in projects. First always have a risk management strategy or a plan risk management, then identify 2.2 Relevant Frameworks risks early, communicate the risks, clarify ownership issues, prioritize risks, analyze risks, plan and implement risk The Guide to the Project Management Body of Knowledge responses, maintain a risk register and finally monitor the (PMBOK) provides guidance in individual projects risks. management and the concepts related to it [5] . Furthermore it There are some standards and some useful frameworks is very relevant in providing and promoting a common such as PMBOK and PRINCE2, as explained in section 2.1.2, vocabulary within the project management as this facilitates that are very similar in how they act in helping us to have a communication within the profession when using and applying good risk management strategy. project management concepts. The PMBOK adopts a modern education model for project management. It is organized as a body of knowledge, containing nine knowledge areas. One of the areas is Project Risk Management. PRINCE2 has some guidance on the management of risk in projects. It makes a distinction between business risk and project risk. Business risk, which is the responsibility of the project board, relates to things that might damage the business case. Project risks are those things, which could prevent the achievement of the project objectives. PRINCE2 recommends that an assessment of risk should be made at the inception of a project and that risks should thereafter be reviewed at significant points in the lifecycle of the project, such as the transition between stages. This framework is a scalable, flexible project management method, suitable for use on any type and any size of project. In PRINCE2 the purpose of risk management is to identify, assess and control uncertainty and, as a result, to improve the ability of the project to succeed [9]. Basically the PMBOK and PRINCE2 are frameworks with Figure 2. The Risk Management Process. Extracted from [7] different processes, both somehow using the same definitions and methods in Risk Management. This also happens for other In Figure 2 is presented the generic risk management frameworks, some names are different but their purposes are process. the same. 3.2 The relevance of a Risk Register

Risk register (sometimes referred to as risk log) is a key part of documenting any risk assessment effort (including the identification, analysis and the evaluation) and one of the most important supporting tools of risk management, enabling storage and communication of information in a relevant, consistent and concise manner. This could take various forms like a spreadsheet or database and will act as a central repository for the information gained on each risk. Most of the risk registers found were not consistent, it is also important to recognize that there is a great diversity of these risk registers, 3 which makes it very difficult to reuse and to compare between Besides the WBS there are also: them.  OBS (Organization Breakdown Structure). In Table 1 are pointed the activities referred in ISO21500, Categorizing risks using the OBS shows where risks lie in PMBOK and PRINCE2, where the concept of risk register is relation to the areas of responsibility of the various referred to as an input or an output. individuals, teams or groups in the project organization, and can be used to propose appropriate risk owners for risks. ISO21500 risk INPUT OUTPUT  CBS (Cost Breakdown Structure). Linking risks into processes the CBS allows the cost of risk impacts and planned risk Identify Risk Project Plans Risk Register responses to be mapped into the project budget, exposing Assess Risk Risk Register Prioritized Risks which cost elements are most uncertain, allowing Treat Risk Risk Register Risk responses calculation of an appropriate risk budget, and suggesting Control Risk Risk Register, Corrective actions where contingency might be required. Risk responses PMBOK risk INPUT OUTPUT  RBS (Risk Breakdown Structure). Grouping risks processes by the RBS indicates common sources of risk, allowing Identify Risk Risk Management Risk Register preventative measures to be taken, and increasing the Plan, Project efficiency of risk responses by targeting root causes to documents tackle multiple related risks. Perform Risk Register Project documents  RiBS (Risk impact Breakdown Structure). Mapping Qualitative Risk updates risks against the RiBS allows analysis of the types of risk Analysis exposure faced by the project, indicating where the Perform Risk Register Project documents management team should focus attention when developing Quantitative Risk updates risk responses. Analysis Plan Risk Risk Register Project documents Responses updates A better solution to the structuring problem for risk Monitor and Risk Register Change requests, management would be to adopt the full hierarchical approach Control Risk Project documents used in the WBS. Such a hierarchical structure of risk sources updates should be known as a Risk Breakdown Structure (RBS). PRINCE2 risk INPUT OUTPUT The RBS indicates the source from which the risk has processes arisen. Another key characteristic of a risk is its consequence Identify Risk Risk Management Risk Register or impact and for that impact characteristic there is the Strategy hierarchy called the Risk Impact Breakdown Structure (RiBS). Assess Risk Risk Register Risks evaluated Plan Risk Register Risk responses Implement Risk Register Corrective actions 4 PROCESS DEFINITION Communicate Risk Register Communicate the status of the risks Table 1. Inputs and Outputs of the risk processes from ISO21500, This process definition follows the principles, guidelines, PMBOK and PRINCE2. techniques and concepts provided by the ISO 31000 family standards [1] [2] . To provide background on the terms used, some of the terms are presented below, accordingly to the ISO-Guide73 Risk Management – Vocabulary [3]: 3.3 Risk Breakdown Structure Assets - anything that has value for an organization or for a project. The risk management process aims to identify and assess Events - the occurrence or change of a particular set of risks in order to enable the risks to be understood clearly and circumstances. managed effectively. There are many techniques for risk identification. These Consequences - the outcome of an event, which affects identification techniques tend to produce an unstructured list objectives. of risks that often do not assist the project manager in knowing Risk - effect of uncertainty on objectives. An effect can be where to focus risk management attention. positive or negative. The most obvious demonstration in the value of structuring within project management is the Work Breakdown Structure (WBS), which is recognized as a major tool for the project manager because it provides a means to structure the work to be done and accomplish project objectives. The aim of the WBS is to present project work in hierarchical, manageable and definable packages to provide a basis for project planning, communication, reporting, and accountability.

4

4.1 Methodology 2.2 Risk Structuring In Figure 3 is presented the proposed methodology for the Now that we have a clear list of risks resulted from step creation of the Reference Risk Register. 1.3, this list is not structured, but a simple list of risk sources does not provide the richness of the WBS since it only presents a single level of organization. A solution to the structuring problem for risk management would be to adopt the full hierarchical approach used in the WBS. Such a hierarchical structure of risk sources should be known as a Risk Breakdown Structure (RBS). The RBS (Risk Breakdown Structure) will allow grouping risks and indicating sources of risks, the same with the RiBS (Risk impact Breakdown Structure) but this one will group by impact. And that will be the result of this step, a structure that will allow an overview of the risks for a better identification. Figure 3. Proposed methodology for the creation of the Risk Register

2.3 Populate the Reference Risk Register

This is the last step of the proposed methodology that This methodology is based on two iterations, each iteration consists in populating the reference risk register, but now with with 3 steps (the establishing of the context, the identification all the information we need, with the list of risks from within of the risks and then the analysis of the respective risks). the scope of the project the identifiers of the consequences, events and also with the small annotation where the risks can First iteration be found, the RBS levels (Level 1 and Level 2) from which the risk is mapped. In Figure 9 the reference risk register can

1.1. Establish the context be found, along with the RiBS levels (Level 1 and Level 2) The output of this iteration will be the definition of the from which the risk is mapped, these last two structures are assets and the definition of the scope. the result from step 2.2 of this methodology. Everything that, in advance, does not permit the start of a project, is out of the scope of the project, and the only concerns are the risks that have consequences on my assets 4.2 Domain Model between the start date and end date of the project, everything else is out of the scope. In Figure 4, is presented the proposed domain model for this

dissertation. 1.2. Risk identification Exhaustive analysis of risks and the population of the risks in an excel sheet. Once is established the context and identified the assets (Deliverables, Money and People), comes the phase of the identification of the risks and populate them in an excel sheet. The output of this step will be a list with all risks identified.

1.3. Analysis of the identified risks Risk analysis and removal of the risks that are not within the scope. In this step is described the analysis of the list of risks resulted from step 1.2. Some of the risks identified in step 1.2 were not within the scope of the project and the consequences were not over the assets defined in 4.4. After Figure 4. Domain Model identified the risks that are within the scope, comes the organization and structuring of the risk register with different The entities that compose this domain model are: columns, the identifiers of the Events and Consequences along Risk, that has a description of the risk; an Event_ID is the with an annotation of the risk. id number of the Event; Consequence_ID is the id number of the Consequence; Annotation is a column with a location of the risk; RBS Level 1 is the first level of the Risk Breakdown Second Iteration Structure, so it can be filtered for an easy identification of the 2.1 Establish the context risks; RBS Level 2 is the second level of the Risk Breakdown Use the same context as the 1.1, but now the output of this Structure, so it can be filtered for an easy identification of the iteration, along the output of the step 1.1, will be the risks; RiBS Level 1 is the first level of the Risk impact structuration of the list of risks obtained in step 1.3 using the Breakdown Structure, so it can be filtered for an easy Risk Breakdown Structure. identification of the risks; RiBS Level 2 is the second level of

5 the Risk impact Breakdown Structure, so it can be filtered for an easy identification of the risks. Event, that has an ID, so that can be easily identified when looking at the Risk; A description of the Event; Likelihood or probability of the Event. Consequence, that has an ID, so that can be easily identified when looking at the Risk; A description of the Consequence; Impact of the Consequence; and a column with the name of the asset that the consequence has impact on. Asset, with the name of the asset. Multiple events and multiple consequences can generate multiple risks as shown in Figure 4. The consequence is over one Asset, but one asset can have multiple consequences.

4.3 Establishing the Context

This chapter is the first step (1.1) “Establish the context” Figure 6. Overview of project management concepts and their of the first iteration on the proposed methodology. relationships. Extracted from [17] The definition of project scope makes clear what the project will contribute to the strategic goals of the organization. 4.4 Assets

In this dissertation the focus will be the Risk Identification process of the Risk Assessment process of ISO 31000 as As quoted in [18] Terms and Definitions a project risk is a “risk relating to delivery of a product, service or change, shown in Figure 5 and in the project management processes that has deliverables as presented in the green box in Figure 6, usually within the constraints of time, cost and quality.” As said in section 4.3, a project has activities with a start these are the processes where Risk Management have the Risk Identification process, everything that is out of the green box, and an end date, performed to achieve project objectives. Achievement of the project objectives requires the delivery like benefits, organizational strategy, business and other concepts are ignored. of deliverables conforming to specific requirements.[17] It is now clear that the definition of the risk management context

of a project is to focus on the threats that impact assets. As shown in Figure 6, inside the green box, these processes have an impact on any organization. These processes have also impact in the deliverables and clearly a project is evaluated by the deliverables that are produced. This is why the deliverables will be considered as an asset in this methodology. Another asset that will be considered is the staff (people) that participate in the project because people are the core of IT Projects and everything that has an impact on them will be relevant. The ultimate goal of any organization is to make money, every organization needs it and uses it to produce anything and for that reason money will be considered an asset for this methodology. With this said, the assets will be Deliverables, Figure 5. ISO 31000 Risk Management Process. Extracted from [7] Money and People.

Everything that, in advance, does not allow the start of a project, is out of the scope of the project, the only concern is all the risks that have consequences on my assets between the 4.5 Risk Register start date and end date of the project, everything else is out of the scope. Risk register (sometimes referred to as risk log) is a key part of documenting any risk analysis effort and one of the most important supporting tools of risk management, enabling storage and communication of information in a relevant, consistent and concise manner. This could take various forms like a spreadsheet or database and will act as a central repository for the information gained on each risk. 6

In this dissertation the reference risk register will take the 5.1 Process First Iteration form of an excel spreadsheet with the structure presented in Table 2. Step 1.1 - ―Establishing the context‖ of the proposed methodology: The output of this iteration will be the definition of the assets and the definition of the scope. As said in section 4.4 the assets considered in this methodology are: Deliverables - Time (A project is always temporary, if a deliverable is delivered on schedule or not, is very important Table 2. The reference Risk Register. and if it is not delivered on time there will be costs added to the project); Quality (Ensuring if the quality of a deliverable meets a certain level of measure of quality is extremely The proposed structure of the reference Risk Register has important from the standpoint of achieving the project’s nine columns, in those columns I propose there should be an success, also if certain quality criterias are not met it can be ID, it is important to have a description of the risk identified in cost added to the project). another column. Money (As seen in the previous asset, if time or quality are There is an event table that should have its ID related to its not assured it will affect the cost of the project, but that is not table. all, during the project money will be very important). ID consequence is related to the consequence table and People (Organizations work essentially with people, occupies another column. To find a page, paragraph, link of a projects are made by people). site, it is imperative to have a column with a location risk. Level 1, known as RBS, is the first level of the Breakdown Step 1.2 - ―Risk Identification‖ of the proposed Structure, it filters easily identifying the sources of the risks. methodology: Level 2, known as RBS, is the second level of the Exhaustive analysis of risks and the population of the risks Breakdown Structure, it filters precisely identifying the risks in an excel sheet. Once established the context and identified in level 1. the assets comes the search and identification of the risks. RiBS Level 1 is the first level of the Risk impact After all the risks are identified, these risks are documented Breakdown Structure, it filters for an easy identification of the in an excel sheet draft, where in step 1.3 the risks will be impact of the risks; analysed. The result of step 1.2 is a list with all identified RiBS Level 2 is the second level of the Risk impact risks, but in this list is presented some risks that are not in the Breakdown Structure, it detects the impact of the risks already scope of the project and that are not over the assets defined in seen in level 1. section 4.4. The next step will be the analysis of the risks identified because it is clear that some risks are not within the The structure of this Reference Risk Register will be scope of the project and some are ambiguous risks. further populated with the risks identified, as presented in the proposed methodology mentioned in section 4.1, it will be Step 1.3 – ―Result Analysis‖ of the proposed methodology: populated in the second iteration step 2.3 “Populate Reference Risk analysis and removal of the risks that are not within Risk Register”. the scope. In this step is described the analysis of the list of risks resulted from step 1.2. 5 PROCESS APPLICATION The risks that do not have the consequence over the assets will be moved to the excel sheet “Out of context”. The risks The first objective of the application of the process was to considered ambiguous will be moved to another sheet called apply it to a set of bibliography found on the Internet, but “Ambiguous risks”. unfortunately, the bibliography that was found was quite An out of context risk means that the risk is not in the scope disperse and inaccurate, as said in section 1.1, most of the of the project, every risk that occurs before the start of a Risk Registers and bibliography found was not consistent, project or that the consequence of the risk is not over the there were several examples of risks without any context assets deliverable, money and people is out of scope and if the established, the only thing that was credible was the Project risks are ambiguous means that it is a risk that has several Management for Information Systems[7] where the process possible meanings or interpretations and is difficult to with two iterations was applied. comprehend and classify. After removing all risks that are not within the scope or that the consequences are not over the assets defined, it is time to organize the register, clarifying the events and the

consequences of the risks, creating an excel sheet with the

consequences, another for the events and the main one with the risks and the respective events and consequences identifiers. Having a list of risks sorted and analyzed, this list is not

7 structured so the next step would be to re-analyse the context and add to it, an appropriate structure.

5.2 Process Second Iteration

Step 2.1 - ―Establishing the context‖ of the methodology: The output of this iteration will be the definition of the assets and the definition of the scope, the same as step 1.1, but now adding to the existing context, a breakdown structure, using the RBS that is a source-oriented grouping of project risks that organizes and defines the total risk exposure of the project. Each descending level represents an increasingly detailed definition of sources and risk to the project for a better identification and analysis of the risks.

Step 2.2 - ―Risk Structuring‖: The most obvious demonstration of the value of structuring within project management is the Work Breakdown Structure (WBS), now that we have a clear list of risks, this list is not structured, but a simple list of risk sources does not provide the richness of the WBS since it only presents a single level of organization. The WBS that is recognized as a major tool for the project manager because it provides a means to structure the work to be done to accomplish project objectives. The aim of the WBS is to present project work in hierarchical, manageable and definable packages to provide a basis for project planning, communication, reporting, and accountability. Besides the Figure 7. ISO 31000 Risk Management Process WBS, in projects there is also the OBS (Organizational Breakdown Structure) and CBS (Cost Breakdown Structure). A better solution to the structuring problem for risk management would be to adopt the full hierarchical approach used in the WBS. Such a hierarchical structure of risk sources should be known as a Risk Breakdown Structure (RBS). The RBS indicates the source from which the risk has arisen. Another key characteristic of a risk is its consequence or impact having this, there is another risk-related hierarchy called the Risk Impact Breakdown Structure (RiBS). The way I structured the RBS was by guiding myself with a generic structure of RBS from [14], I analyzed risk by risk, to see where I could insert them in the structure, making sense thus constructing a new structure. I did the same process with RiBS, first by identifying my assets (Deliverables, Money, and People), that in level 1 the impact would be over my assets and then in level 2 would be specified depending on their risks. Level 2 of each structure was made within the formation of identifying all the risks. Basically the RBS (Risk Breakdown Structure) group risks by their sources as presented in Figure 7. And the RiBS (Risk impact Breakdown Structure) group by impact as presented in Figure 8.

Figure 8. ISO 31000 Risk Management Process

8

Using the RBS to structure the risk identification task Step 2.3 - ―Populate the reference risk register‖: provides assurance that all common sources of risk to the This is the last step of the proposed methodology that project objectives have been explored, assuming that the RBS consists in populate the reference risk register, now with all is complete. The same as RiBS that will provide assurance that the information we need. all common impacts on the assets of the project have been Now having: explored. The list of risks, with all the risks that are within the scope To conclude this step, the adoption of a range of of the project from the step 1.3; hierarchical categorization frameworks within the qualitative The identifiers of the consequences and events and also risk assessment step can go some way towards analysing the with the small annotation where the risk can be found also overall risk exposure of a project. While these will not replace from the step 1.3 the RBS levels (Level 1 and Level 2) from quantitative risk analysis methods, they do provide additional which the risk is mapped resulted from step 2.2 and the RiBS insight into where and how a project is exposed to risk. Use of levels (Level 1 and Level 2) from which the risk is mapped qualitative categorization also has the benefit of being easy to also from step 2.2. implement, and offers a hierarchical understanding of risk not With this information, now it is possible to populate the easily available from quantitative risk analysis models. reference risk register, the result is presented in Figure 9. The value of this type of mapping lies in its ability to support development of effective risk responses, by revealing different aspects of the risk exposure of the project. The use of hierarchical frameworks has an additional benefit in allowing responses to be developed at different levels, ranging from whole-project generic responses to detailed specific actions targeting particular hotspots of exposure.

Figure 9. Reference Risk Register

ONCLUSION 6 C management processes. A set of international standards on Risk and Project Management to complement the IS projects are becoming increasingly complex and are knowledge on these areas was also considered throughout subject to various risks. Risks cannot be avoided altogether the dissertation. but they can be managed in such a way that they are The approach to managing risk on a project should be recognized and their impacts either accepted, avoided, documented in a formal risk management plan or have a mitigated or transferred. suitable risk management strategy. The PMBOK and PRINCE2 frameworks, considered the The proposed methodology provided a set of steps and most important frameworks on Risk Management and iterations on how to create a reference risk register. Project Management were analysed, with the objective to This dissertation also proposed one way of structuring extract the most important guidance and practices on risk 9 the risks. There are other ideas for expanding and [10] Van Haren Publishing. Frameworks for IT structuring the risk register using the identified risks like, Management. itSMF-NL, 2006. on which parts of the project are most affected (WBS), [11] Hedmen B., Heemst G.V., Fredriksz H.. Van candidate risk owners (OBS), potential cost variation and Haren Publishing. Project Management, Based on contingency planning (CBS) and the ones described in this PRINCE2 2009 Edition. dissertation, common causes of risk (RBS), and major types [12] Cadle, J. & D. Yeates, D., Project Management of potential impact (RiBS). for Information Systems (5th edition., Harlow: These are five ways to structure or filter a register, if we Pearson – Prentice Hall, 2008). want to know the impact the various areas are having, we [13] Hillson, D. Use a Risk Breakdown Structure can analyse that in any of these items mentioned above. (RBS) to Understand Risks. 33rd Annual Project It is extremely important for risk assessment to have risk Management Institute Seminars & Symposium register, as a support. This dissertation focuses on the (PMI 2002), San Antonio, TX, USA , 2002. importance of creating a risk register and the importance it [14] Hillson, D. Understanding risk exposure using has for organizations. multiple hierarchies, Director, Risk Doctor & With this Structure Knowledge Base, Organizations have Partners, PMI Global Congress EMEA the power to create their own Risk Register, with their Proceedings – Budapest ,2007. consolidated ideas, knowing the potential problems, issues [15] Hillson, D. Using a Risk Breakdown Structure in that may happen during the projects, and having the Project Management, Journal of Facilities structure of the risk register, for an Organization to be able Management, 2003. to use it and profit from its benefits, following its [16] Hall, D. C. and Hulett, D. T. (2002) Universal guidelines, as proposed in my dissertation. For each project, Risk Project — Final Report, available from PMI when starting the creation of the risk register, this could be Risk SIG website: www.risksig.com / a base of work for when people working on a project could www.techriskmgt.com/home2link.html take advantage of it. [17] BS ISO 21500:2012 – Guidance on Project For future work, I suggest the validation of the reference Management, British Standards Institution risk register to an expertise panel, on the context of Project Standards Publication, 2012. Management. [18] BS ISO 31100:2012 – Risk management – Code of practice and guidance for the implementation of BS ISO 31000, British Standards Institution Standards Publication, 2012. REFERENCES [1] ISO. IEC/FDIS 31000 Risk management - Principles and guidelines, 2009. [2] IEC. Risk management – risk assessment techniques. IEC 31010:2009, International Electrotechnical Commission, 2009. [3] ISO. ISO - Guide 73 Risk management – Vocabulary, 2009. [4] ISO Standards. http://www.iso.org/iso/home/standards.html [Online]. [5] Project Management Institute. A Guide to the Project Management Body of Knowledge (PMBOK® Guide). PMI Standard. Project Management Institute, Incorporated, 2013. [6] Stellingwerf R. & Zandhuis A., ISO 21500: Guidance on project management – A Pocket Guide, Van Haren Publishing, 2013. [7] Cadle, J. & D. Yeates, D., Project Management for Information Systems (5th edition., Harlow: Pearson – Prentice Hall, 2008). [8] Hedmen B., Seegers R.. Van Haren Publishing. PRINCE2 2009 edition – A Pocket Guide. [9] Peers K., Tuunanen T., Rothenberger M., and Chatterjee S.. A design science research methodology for information systems research. Journal of Management Information Systems, 2007.